[Samba] Samba malformed ACL

Brad C bradleydanecook at gmail.com
Wed Feb 27 10:42:53 GMT 2008


Hi guys,

I've got a Samba PDC configured, authenticating off an LDAP backend.

My client is trying to set permissions through Windows, and for some reason
no matter what I try the "everyone" group is always showing up as having
access.

When an admin user tries to set permissions on the share through Windows I
get the following errors in my /var/log/messages:

Feb 27 11:28:16 northcity smbd[16707]: [2008/02/27 11:28:16, 0]
smbd/posix_acls.c:create_canon_ace_lists(1468)
Feb 27 11:28:16 northcity smbd[16707]:   create_canon_ace_lists: malformed
ACL in inheritable ACL ! Deny entry after Allow entry. Failing to set on
file STORE KPI/filename.txt.

I presume this is because he's trying to deny the everyone group access after
it's been allowed at the top.

Below is my smb.conf.

[global]
        workgroup = NCW
        server string = Linux server
        passdb backend = ldapsam:ldap://localhost
        username map = /etc/samba/smbusers
        encrypt passwords = yes
        log level = 1
        log file = /var/log/samba/log.%m
        max log size = 1000
        name resolve order = wins bcast hosts
        time server = Yes
        socket options = IPTOS_LOWDELAY TCP_NODELAY
        add user script = /usr/local/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/local/sbin/smbldap-userdel "%u"
        add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/local/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
        logon path =
        logon drive = Z:
        logon home =
        logon script = logon.bat
        domain logons = Yes
        os level = 65
        domain master = yes
        preferred master = Yes
        local master = Yes
        wins support = Yes
        ldap admin dn = cn=Manager,dc=northcity,dc=net
        ldap user suffix = ou=Users
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Computers
        ldap passwd sync = Yes
        ldap suffix = dc=northcity,dc=net
        utmp = Yes
        admin users = @"Domain Admins"
        map acl inherit = Yes
        hide files = */desktop.ini/*
        nt acl support = yes
        utmp = yes
        level2 oplocks = yes
        oplocks = yes

[documents at ncw]
        comment = Document share
        path = /data
        create mask = 0770
        force user = root
        writeable = yes
        guest ok = yes

I've tried setting guest ok = no and this makes no difference.
If I do getfacl data/ I get the following.

# file: data
# owner: root
# group: root
user::rwx
group::rwx
group:Domain\040Admins:rwx
mask::rwx
other::---

Below is the output from ls -al on this dir.

drwxrwx---+   8 root  root    4096 Feb 26 17:13 data

I've tried removing perms, changing perms, changing users/groups using
setfacl and normal chown/chmod and nothing I do seems to get rid of the
"everyone" group access.

Below is more info about my samba version and filesystem info.

smbd --version
Version 3.0.26a-SerNet-SuSE
mount -v
/dev/sda6 on / type reiserfs (rw,acl,user_xattr)
/dev/sdb1 on /data type ext3 (rw,acl,user_xattr)

I've tried the same permissions/ACLs on both filesystem types without any
luck.

I'm running SLES9 Linux 2.6.5-7.257-smp #1 x86_64

Any help will be greatly appreciated.

Thanks.

Regards.
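As an added illustration (not part of the post and not Samba's own code), the following models the two things the error and the getfacl output above show: Samba surfaces the POSIX "other::" entry as an ACE for the well-known Everyone SID even when its bits are "---", which is why the group keeps appearing in the Windows dialog, and create_canon_ace_lists refuses an ACL in which a DENY entry follows an ALLOW entry. The getfacl text is the one quoted in the post; the <owner>/<group> labels are assumptions standing in for the real owner and owning-group SIDs.

```python
from collections import namedtuple

ACE = namedtuple("ACE", "principal type perms")
EVERYONE = "S-1-1-0"  # well-known SID Samba uses for the POSIX 'other' entry

# getfacl output copied from the post (a space in a name is escaped as \040)
SAMPLE_GETFACL = r"""
# file: data
# owner: root
# group: root
user::rwx
group::rwx
group:Domain\040Admins:rwx
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return (tag, qualifier, perms) tuples; comment and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            tag, qual, perms = line.split(":", 2)
            entries.append((tag, qual.replace("\\040", " "), perms))
    return entries

def posix_to_nt(entries):
    """Map POSIX entries to ALLOW ACEs. The 'other' entry always becomes an
    Everyone ACE, even with bits '---', so Windows shows Everyone with no
    rights rather than no entry. <owner>/<group> are assumed placeholders."""
    aces = []
    for tag, qual, perms in entries:
        if tag == "mask":
            continue  # the mask caps named entries; it gets no ACE of its own
        principal = EVERYONE if tag == "other" else qual or ("<owner>" if tag == "user" else "<group>")
        aces.append(ACE(principal, "ALLOW", perms))
    return aces

def is_canonical(aces):
    """Samba's create_canon_ace_lists rejects a DENY that follows an ALLOW."""
    seen_allow = False
    for ace in aces:
        if ace.type == "ALLOW":
            seen_allow = True
        elif seen_allow:
            return False
    return True
```

Running posix_to_nt over the quoted getfacl output yields an Everyone ACE with perms "---", and appending a DENY for Everyone after it makes is_canonical return False, reproducing the "Deny entry after Allow entry" rejection in the log.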